pkispawn for KRA fails if pki_ds_base_dn and pki_ds_database are specified in KRA installation file and they match that of CA
Steps to Reproduce:
1. CA installation file

    [root@bkr-hv01-guest30 ~]# cat ca1.cfg
    [DEFAULT]
    pki_instance_name=pki-ca
    pki_user=pkiuser
    pki_group=pkiuser
    pki_audit_group=pkiaudit
    #NSS DB Token Password
    pki_token_password=Secret123
    pki_audit_signing_key_type=rsa
    pki_audit_signing_key_size=2048
    pki_audit_signing_key_algorithm=SHA512withRSA
    pki_audit_signing_signing_algorithm=SHA512withRSA
    pki_audit_signing_token=internal
    pki_subsystem_key_type=rsa
    pki_subsystem_key_size=2048
    pki_subsystem_key_algorithm=SHA512withRSA
    pki_subsystem_signing_algorithm=SHA512withRSA
    pki_subsystem_token=internal
    pki_ssl_server_key_type=rsa
    pki_ssl_server_key_size=2048
    pki_ssl_server_key_algorithm=SHA512withRSA
    pki_ssl_server_signing_algorithm=SHA512withRSA
    pki_ssl_server_token=internal
    #Admin Password
    pki_admin_password=
    #Security Domain
    pki_hostname=bkr-hv01-guest30.dsal.lab.eng.bos.redhat.com
    pki_security_domain_name=pki-ca-sec-domain
    pki_security_domain_password=
    #client Dir
    pki_client_dir=/opt/pki-ca
    pki_client_admin_cert_p12=/opt/pki-ca/caadmincert.p12
    pki_client_database_dir=/opt/pki-ca/rootca/certs_db
    pki_client_database_password=
    pki_client_pkcs12_password=
    pki_ds_ldap_port=389
    pki_ds_bind_dn=cn=Directory Manager
    pki_ds_password=
    pki_ds_remove_data=True
    [CA]
    pki_admin_nickname=PKI CA Administrator for bkr
    pki_ca_signing_key_type=rsa
    pki_ca_signing_key_size=2048
    pki_ca_signing_key_algorithm=SHA512withRSA
    pki_ca_signing_signing_algorithm=SHA512withRSA
    pki_ca_signing_token=internal
    pki_ocsp_signing_key_type=rsa
    pki_ocsp_signing_key_size=2048
    pki_ocsp_signing_key_algorithm=SHA512withRSA
    pki_ocsp_signing_signing_algorithm=SHA512withRSA
    pki_ocsp_signing_token=internal
    pki_admin_name=caadmin
    pki_admin_uid=caadmin
    pki_admin_email=example@redhat.com
    pki_admin_key_type=rsa
    pki_pin=
    pki_import_admin_cert=False
    pki_ds_hostname=bkr-hv01-guest30.dsal.lab.eng.bos.redhat.com
    pki_ds_base_dn=dc=pki-ca
    pki_ds_database=pki-ca
    pki_random_serial_numbers_enable=True

2. pkispawn of CA is successful

3. KRA installation file

    [root@bkr-hv01-guest30 ~]# cat kra.cfg
    [DEFAULT]
    pki_instance_name=pki-kra
    pki_https_port=31042
    pki_http_port=31044
    #NSS DB Token Password
    pki_token_password=
    pki_audit_signing_key_type=rsa
    pki_audit_signing_key_size=2048
    pki_audit_signing_key_algorithm=SHA512withRSA
    pki_audit_signing_signing_algorithm=SHA512withRSA
    pki_audit_signing_token=internal
    pki_subsystem_key_type=rsa
    pki_subsystem_key_size=2048
    pki_subsystem_key_algorithm=SHA512withRSA
    pki_subsystem_signing_algorithm=SHA512withRSA
    pki_subsystem_token=internal
    pki_ssl_server_key_type=rsa
    pki_ssl_server_key_size=2048
    pki_ssl_server_key_algorithm=SHA512withRSA
    pki_ssl_server_signing_algorithm=SHA512withRSA
    pki_ssl_server_token=internal
    #RootKRA Admin password
    pki_admin_password=
    #Security Domain
    pki_hostname=bkr-hv01-guest30.dsal.lab.eng.bos.redhat.com
    pki_security_domain_hostname=bkr-hv01-guest30.dsal.lab.eng.bos.redhat.com
    pki_security_domain_https_port=8443
    pki_security_domain_user=caadmin
    pki_security_domain_password=
    #Client Dir
    pki_client_dir=/opt/pki-kra/
    pki_client_admin_cert_p12=/opt/pki-kra/kraadmincert.p12
    pki_client_pkcs12_password=
    pki_client_database_password=
    #LDAP
    pki_ds_ldap_port=389
    pki_ds_bind_dn=cn=Directory Manager
    pki_ds_password=
    pki_ds_remove_data=True
    pki_ds_hostname=bkr-hv01-guest30.dsal.lab.eng.bos.redhat.com
    [Tomcat]
    pki_ajp_port=31009
    pki_tomcat_server_port=31005
    [KRA]
    pki_storage_key_type=rsa
    pki_storage_key_size=2048
    pki_storage_key_algorithm=SHA512withRSA
    pki_storage_signing_algorithm=SHA512withRSA
    pki_storage_token=internal
    pki_pin=
    pki_transport_key_type=rsa
    pki_transport_key_size=2048
    pki_transport_key_algorithm=SHA512withRSA
    pki_transport_signing_algorithm=SHA512withRSA
    pki_transport_token=internal
    pki_import_admin_cert=False
    pki_ds_base_dn=dc=pki-ca
    pki_ds_database=pki-ca

4. pkispawn KRA
Actual results:
pkispawn of KRA fails
Expected results:
pkispawn of KRA should be successful
Additional info:
The CA and KRA logs are attached to the associated bug. The following installation file for KRA works fine:

    [DEFAULT]
    pki_instance_name=pki-kra
    pki_https_port=31042
    pki_http_port=31044
    #NSS DB Token Password
    pki_token_password=Secret123
    pki_audit_signing_key_type=rsa
    pki_audit_signing_key_size=2048
    pki_audit_signing_key_algorithm=SHA512withRSA
    pki_audit_signing_signing_algorithm=SHA512withRSA
    pki_audit_signing_token=internal
    pki_subsystem_key_type=rsa
    pki_subsystem_key_size=2048
    pki_subsystem_key_algorithm=SHA512withRSA
    pki_subsystem_signing_algorithm=SHA512withRSA
    pki_subsystem_token=internal
    pki_ssl_server_key_type=rsa
    pki_ssl_server_key_size=2048
    pki_ssl_server_key_algorithm=SHA512withRSA
    pki_ssl_server_signing_algorithm=SHA512withRSA
    pki_ssl_server_token=internal
    #RootKRA Admin password
    pki_admin_password=Secret123
    #Security Domain
    pki_hostname=bkr-hv01-guest30.dsal.lab.eng.bos.redhat.com
    pki_security_domain_hostname=bkr-hv01-guest30.dsal.lab.eng.bos.redhat.com
    pki_security_domain_https_port=8443
    pki_security_domain_user=caadmin
    pki_security_domain_password=Secret123
    #Client Dir
    pki_client_dir=/opt/pki-kra/
    pki_client_admin_cert_p12=/opt/pki-kra/kraadmincert.p12
    pki_client_pkcs12_password=Secret123
    pki_client_database_password=Secret123
    #LDAP
    pki_ds_ldap_port=389
    pki_ds_bind_dn=cn=Directory Manager
    pki_ds_password=Secret123
    pki_ds_remove_data=True
    pki_ds_hostname=bkr-hv01-guest30.dsal.lab.eng.bos.redhat.com
    [Tomcat]
    pki_ajp_port=31009
    pki_tomcat_server_port=31005
    [KRA]
    pki_storage_key_type=rsa
    pki_storage_key_size=2048
    pki_storage_key_algorithm=SHA512withRSA
    pki_storage_signing_algorithm=SHA512withRSA
    pki_storage_token=internal
    pki_pin=Secret123
    pki_transport_key_type=rsa
    pki_transport_key_size=2048
    pki_transport_key_algorithm=SHA512withRSA
    pki_transport_signing_algorithm=SHA512withRSA
    pki_transport_token=internal
    pki_import_admin_cert=False
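A pre-flight check for the collision this report describes, as an added example that is not part of the original ticket or of Dogtag PKI's code: it parses two pkispawn files and reports which of `pki_ds_base_dn` and `pki_ds_database` they share on the same directory server. The function names, the trimmed sample files, and the DN normalization (case-folded, whitespace stripped, no handling of escaped commas) are assumptions.

```python
import configparser

# Constructed, trimmed copies of the report's ca1.cfg and kra.cfg:
# only the directory-server keys are kept.
CA_CFG = """
[DEFAULT]
pki_ds_ldap_port=389
[CA]
pki_ds_hostname=bkr-hv01-guest30.dsal.lab.eng.bos.redhat.com
pki_ds_base_dn=dc=pki-ca
pki_ds_database=pki-ca
"""
KRA_CFG = """
[DEFAULT]
pki_ds_ldap_port=389
pki_ds_hostname=bkr-hv01-guest30.dsal.lab.eng.bos.redhat.com
[KRA]
pki_ds_base_dn=dc=pki-ca
pki_ds_database=pki-ca
"""

def norm_dn(dn):
    """Simplified DN comparison form (assumption: no escaped commas)."""
    if not dn.strip():
        return ""
    rdns = []
    for rdn in dn.split(","):
        attr, _, val = rdn.partition("=")
        rdns.append(f"{attr.strip()}={val.strip()}".casefold())
    return ",".join(rdns)

def ds_settings(text, section):
    # interpolation=None: passwords in these files may contain '%'
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = cp[section]            # section lookups fall back to [DEFAULT]
    return {"host": sec.get("pki_ds_hostname", "").casefold(),
            "port": sec.get("pki_ds_ldap_port", ""),
            "pki_ds_base_dn": norm_dn(sec.get("pki_ds_base_dn", "")),
            "pki_ds_database": sec.get("pki_ds_database", "").casefold()}

def find_ds_collisions(cfg_a, sec_a, cfg_b, sec_b):
    a, b = ds_settings(cfg_a, sec_a), ds_settings(cfg_b, sec_b)
    if (a["host"], a["port"]) != (b["host"], b["port"]):
        return []                # different directory servers: no overlap
    # Only explicitly set values count; omitted keys are left to pkispawn.
    return [k for k in ("pki_ds_base_dn", "pki_ds_database")
            if a[k] and a[k] == b[k]]

if __name__ == "__main__":
    for key in find_ds_collisions(CA_CFG, "CA", KRA_CFG, "KRA"):
        print(f"KRA reuses the CA's {key}; pick a distinct value before pkispawn")
```

A KRA file that omits both keys, like the working one in the report, produces no findings.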
Metadata Update from @mharmsen: - Custom field component adjusted to General - Custom field feature adjusted to '' - Custom field origin adjusted to Community - Custom field proposedmilestone adjusted to '' - Custom field proposedpriority adjusted to '' - Custom field reviewer adjusted to '' - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1457913 - Custom field type adjusted to defect - Custom field version adjusted to ''
Metadata Update from @mharmsen: - Issue priority set to: minor - Issue set to the milestone: FUTURE (was: 10.5)
Per 10.5.x/10.6 Triage: FUTURE
RHBZ: CLOSED UPSTREAM
alee: error case -- nice validation case to have, but tricky to see how to validate this.
Metadata Update from @mharmsen: - Custom field rhbz reset (from https://bugzilla.redhat.com/show_bug.cgi?id=1457913)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2844
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw: - Issue close_status updated to: migrated - Issue status updated to: Closed (was: Open)